The IM and Presence Service only requires impersonation permissions on the account so that it can log in to that account when it connects to the Exchange Server; grant the account nothing beyond that. The account does not typically receive mail, so you do not need to allocate mailbox storage for it.

Windows Security Policy Settings

The IM and Presence Service supports NTLMv1 Windows Integrated authentication only and does not currently support NTLMv2.

Some Windows network security policies allow NTLMv2 authentication only (the "Network security: LAN Manager authentication level" policy set to "Send NTLMv2 response only. Refuse LM & NTLM", that is, LmCompatibilityLevel 5), which prevents the integration between the IM and Presence Service and Exchange from functioning over both WebDAV and EWS. Verify that this NTLMv2-only setting is not in effect on each Windows server running Exchange. If it is, lower the setting so that NTLMv1 responses are accepted again, then reboot the server for the new security setting to take effect.

Be aware of what this costs. The setting is server-wide, so every NTLM client of that server, not only the IM and Presence Service, may again authenticate with NTLMv1, whose responses are far easier to crack or relay than NTLMv2. If the policy is enforced through Group Policy, a local registry change is overwritten at the next policy refresh, so make the change in the GPO that applies to those servers. Basic authentication over HTTPS on the EWS virtual directory is the alternative when you cannot relax the policy.
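The check a practitioner wants before touching this policy, as an added example that is not part of the Cisco documentation: it reads the LmCompatibilityLevel value behind the policy on each Exchange server and reports whether NTLMv1 is still accepted. The server names are assumptions, and WinRM is assumed to be enabled for Invoke-Command.

```powershell
# Added example for this page; it is not part of the Cisco documentation.
# Reads the "Network security: LAN Manager authentication level" policy
# (registry value LmCompatibilityLevel) on each Exchange server and reports
# whether the server still accepts the NTLMv1 responses that the IM and
# Presence Service sends. Server names are assumptions; WinRM is assumed
# to be enabled for Invoke-Command.
$ExchangeServers = @('cas01.example.local', 'cas02.example.local')   # assumed hosts

# Policy levels. Only level 5 refuses an incoming NTLMv1 response, which is
# the "NTLMv2 only" condition that breaks the integration.
$LevelText = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        # When the value is absent, Windows Server 2008 and later behave as level 3.
        if ($item) { [int]$item.LmCompatibilityLevel } else { 3 }
    }
}

function Test-AcceptsNtlmV1 {
    param([int]$Level)
    $Level -lt 5
}

foreach ($server in $ExchangeServers) {
    $level   = Get-LmCompatibilityLevel -ComputerName $server
    $verdict = if (Test-AcceptsNtlmV1 -Level $level) { 'accepts NTLMv1' } else { 'REFUSES NTLMv1: IM and Presence integration will fail' }
    '{0}: LmCompatibilityLevel={1} ({2}) -> {3}' -f $server, $level, $LevelText[$level], $verdict
}

# Remediation the text calls for. Level 4 is the smallest change that accepts
# NTLMv1 again while still refusing the much weaker LM response; the change
# is server-wide and takes effect only after a reboot. It is left commented
# out so that it is applied deliberately, and it is pointless if a GPO
# re-applies level 5 at the next policy refresh.
# Invoke-Command -ComputerName 'cas01.example.local' -ScriptBlock {
#     Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
#                      -Name LmCompatibilityLevel -Value 4 -Type DWord
#     Restart-Computer -Force
# }
```

Run the audit first and record the current level; if it is already 5 by policy, change the GPO rather than the registry, and choose level 4 rather than anything lower so that LM responses stay refused.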


Verifying Permissions on the Microsoft Exchange 2007 Account

After you have assigned the permissions to the Exchange 2007 account, you must verify that the permissions propagate to the mailbox level and that the specified user can access the mailbox and impersonate the account of another user. On Exchange 2007, it takes some time for the permissions to propagate to mailboxes.

Verify that the Client Access Server (CAS) is listed for the service node that you chose.

Step 5

View the Properties of each CAS and, under the Security tab, verify that:

Your service account is listed.

The permissions granted to the service account show (with a checked check box) that the Exchange Web Services Impersonation permission is allowed for the account.

Note

If the account or the impersonation permission does not display as described in Step 5, you may need to recreate the service account and ensure that the required impersonation permission is granted to it.

Step 6

Verify that the service account (for example, Ex2007) has been granted the Allow impersonation permission on the storage group and the mailbox store, which it needs to exchange personal information and to Send As and Receive As another user account.

Step 7

You may be required to restart the Exchange Server for the changes to take effect; this has been observed during testing.
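The same verification from the Exchange 2007 Management Shell, as an added example that is not the Cisco documentation's own procedure: it checks the extended rights behind Steps 5 and 6 on the CAS object and on every storage group and mailbox database, and lists any other principal that holds the impersonation right. The account and server names are assumptions.

```powershell
# Added example for this page; it is not the Cisco documentation's own
# procedure. Run it in the Exchange 2007 Management Shell to check the
# extended rights that Steps 5 and 6 describe, instead of clicking through
# the Security tab of every CAS. Account and server names are assumptions.
$ServiceAccount = 'CONTOSO\Ex2007'   # assumed service account
$CasServer      = 'CAS01'            # assumed Client Access Server

# Exchange 2007 expresses "Exchange Web Services Impersonation" as two
# Active Directory extended rights:
#   ms-Exch-EPI-Impersonation   on the Client Access Server object
#   ms-Exch-EPI-May-Impersonate on the storage group and mailbox database
# Send-As and Receive-As are the rights Step 6 mentions for mailbox access.
$ExpectedOnCas   = @('ms-Exch-EPI-Impersonation')
$ExpectedOnStore = @('ms-Exch-EPI-May-Impersonate', 'Send-As', 'Receive-As')

function Test-ExtendedRights {
    param([string]$Identity, [string]$User, [string[]]$Expected)
    $aces = @(Get-ADPermission -Identity $Identity -User $User)
    # A Deny ACE overrides an Allow ACE, so both sides are collected.
    $allowed = @($aces | Where-Object { -not $_.Deny } | ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
    $denied  = @($aces | Where-Object { $_.Deny }      | ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
    foreach ($right in $Expected) {
        $ok    = ($allowed -contains $right) -and -not ($denied -contains $right)
        $state = if ($ok) { 'OK' } else { 'MISSING or DENIED' }
        '{0,-60} {1,-28} {2}' -f $Identity, $right, $state
    }
}

# Step 5: the CAS object must carry ms-Exch-EPI-Impersonation for the account.
$casDn = (Get-ExchangeServer -Identity $CasServer).DistinguishedName
Test-ExtendedRights -Identity $casDn -User $ServiceAccount -Expected $ExpectedOnCas

# Step 6: every storage group and mailbox database must allow the account to
# impersonate and to Send-As / Receive-As.
foreach ($obj in @(Get-StorageGroup) + @(Get-MailboxDatabase)) {
    Test-ExtendedRights -Identity $obj.DistinguishedName -User $ServiceAccount -Expected $ExpectedOnStore
}

# Least-privilege counter-check: any other principal holding the impersonation
# right on the CAS can read and write mail as any user, so list them too.
Get-ADPermission -Identity $casDn |
    Where-Object { -not $_.Deny -and ("$($_.ExtendedRights)" -like '*ms-Exch-EPI-Impersonation*') } |
    Select-Object User, ExtendedRights
```

A right reported as MISSING immediately after it was granted may simply not have propagated yet (the text notes the delay); re-run after a few minutes, and after the restart that Step 7 mentions, before recreating the account.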

Before You Begin

Before you use Exchange Web Services (EWS) to integrate Exchange 2010 Server with the IM and Presence Service, ensure that you configure the following throttling policy parameter values on the Exchange Server. These are the values that are required for the EWS calendaring integration with the IM and Presence Service to work.

It has been observed during Cisco tests that the default throttling policy value is sufficient for deployments in which up to 50 percent of users are calendaring-enabled. If you have a higher load of EWS requests to the Client Access Server (CAS), we recommend that you increase this parameter to 100.


Run this New-ManagementRoleAssignment command to bind the ApplicationImpersonation role to the service account within the scope in which the impersonation permission applies. In this example, the Ex2010 account is granted the permission to impersonate all accounts on a specified Exchange Server, and no others.

Verifying Permissions on the Microsoft Exchange 2010 Account

After you have assigned the permissions to the Exchange 2010 account, you must verify that the permissions propagate to the mailbox level and that the specified user can access the mailbox and impersonate the account of another user. On Exchange 2010, it takes some time for the permissions to propagate to mailboxes.

Procedure

Step 1

On the Active Directory Server, verify that the impersonation account exists.

Step 2

Open the Exchange Management Shell (EMS) for command line entry.

Step 3

On the Exchange Server, verify that the service account has been granted the required impersonation permissions. Run this command in the EMS:

Get-ManagementRoleAssignment -Role ApplicationImpersonation

Ensure that the command output shows a role assignment with the Role ApplicationImpersonation for the specified account, as follows:

Example Command Output

Name                   Role                      RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                   ----                      ----------------  ----------------  ----------------  -----------------
_suImpersonateRoleAs   ApplicationImpersonation  ex2010            User              Direct            ex2010

Step 4

Verify that the management scope that applies to the service account is correct. Run this command in the EMS:

Get-ManagementScope _suImpersonateScope

Ensure that the command output returns the impersonation scope, as follows:

Example Command Output

Name                 ScopeRestrictionType  Exclusive  RecipientRoot  RecipientFilter  ServerFilter
----                 --------------------  ---------  -------------  ---------------  ------------
_suImpersonateScope  ServerScope           False      User           Direct           Distinguished Name

Step 5

Verify that the ThrottlingPolicy parameters match what is defined in Table 1 by running this command in the EMS.
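The scoped assignment that the New-ManagementRoleAssignment paragraph describes, followed by Steps 3 to 5 as explicit pass/fail checks, as an added example that is not the Cisco documentation's own command sequence. The account and server names are assumptions; the scope name matches the example output above, and the assignment name, which that output shows truncated, is assumed here to be _suImpersonateRoleAsg.

```powershell
# Added example for this page; it is not the Cisco documentation's own
# command sequence. It creates the scoped ApplicationImpersonation assignment
# that the New-ManagementRoleAssignment paragraph describes, then runs the
# checks of Steps 3 to 5 with explicit pass/fail conditions. The account and
# server names are assumptions; the scope name matches the page's example
# output, and the assignment name (shown truncated there) is assumed to be
# _suImpersonateRoleAsg.
$ServiceAccount = 'Ex2010'   # assumed service account
$ScopedServer   = 'CAS01'    # assumed; impersonation is limited to this server
$ScopeName      = '_suImpersonateScope'
$AssignmentName = '_suImpersonateRoleAsg'

# 1. A server-restricted scope. A recipient scope (-RecipientRestrictionFilter,
#    bound with -CustomRecipientWriteScope) is the alternative when you want to
#    limit impersonation to a set of users rather than to a server.
$serverDn = (Get-ExchangeServer -Identity $ScopedServer).DistinguishedName
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -ServerRestrictionFilter "DistinguishedName -eq '$serverDn'"
}

# 2. Bind the ApplicationImpersonation role to the account within that scope only.
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ServiceAccount -CustomConfigWriteScope $ScopeName
}

# 3. Step 3: the assignment must exist for this account. Propagation takes
#    time, so re-run later if it is reported missing right after creation.
$assignment = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $ServiceAccount
if (-not $assignment) { throw "No ApplicationImpersonation assignment for $ServiceAccount yet" }
$assignment | Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod, EffectiveUserName -AutoSize

# 4. Step 4: the scope must be a server scope pointing at the intended server.
$scope = Get-ManagementScope -Identity $ScopeName
if ($scope.ScopeRestrictionType -ne 'ServerScope') { throw "$ScopeName is not a ServerScope" }
if ($scope.ServerFilter -notlike "*$serverDn*") { throw "$ScopeName does not point at $ScopedServer" }
$scope | Format-List Name, ScopeRestrictionType, Exclusive, ServerFilter

# Any additional assignee of ApplicationImpersonation can act as every mailbox
# in its scope, so list them all rather than only the account being checked.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Format-Table Name, RoleAssigneeName, CustomConfigWriteScope, CustomRecipientWriteScope -AutoSize

# 5. Step 5: show the EWS throttling parameters of every policy. Table 1 is
#    not reproduced on this page, so compare the values against it by hand.
Get-ThrottlingPolicy | Select-Object Name, IsDefault, EWS* | Format-List
```

The two throw statements are the point of the script: an assignment that exists but is bound to the wrong scope, or to no scope at all, lets the service account impersonate every mailbox in the organization, which is more than the integration needs.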

Enable Authentication on the Exchange 2007 and Later Editions Virtual Directories

For the Exchange Web Services (EWS) integration to work properly, Basic Authentication, Windows Integrated Authentication, or both must be enabled on the EWS virtual directory (/EWS) for Exchange 2007 and Exchange 2010. If you enable Basic Authentication, require HTTPS on that virtual directory: Basic sends the service account credentials in a reversible Base64 encoding, so without TLS they are exposed to anyone on the network path. Windows Integrated Authentication is subject to the NTLMv1 constraint described under Windows Security Policy Settings.
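A check of that requirement across all EWS virtual directories, as an added example that is not the Cisco documentation's own command: it flags directories with no usable authentication method and Basic Authentication reachable over plain HTTP, and can enable Windows Integrated Authentication where it is missing. Enabling Windows Integrated rather than Basic is an assumption; choose Basic if the NTLMv1 constraint rules out Windows Integrated for you.

```powershell
# Added example for this page; it is not the Cisco documentation's own
# command. Lists the authentication methods on every EWS virtual directory
# (Exchange 2007 and 2010), flags directories where neither Basic nor Windows
# Integrated authentication is enabled, and flags Basic authentication that is
# reachable over plain HTTP. Set $Apply to $true to turn on Windows
# Integrated authentication where it is missing (assumed to be the method you
# want; choose Basic instead if the NTLMv1 policy constraint rules it out).
$Apply = $false

function Test-EwsVirtualDirectory {
    param($VDir)
    $usable = [bool]$VDir.BasicAuthentication -or [bool]$VDir.WindowsAuthentication
    $urls   = @($VDir.InternalUrl, $VDir.ExternalUrl) | Where-Object { $_ -ne $null }
    $plain  = @($urls | Where-Object { $_.Scheme -ne 'https' })
    $notes  = @()
    if (-not $usable) { $notes += 'NO USABLE AUTH: EWS integration will fail' }
    if ($VDir.BasicAuthentication -and $plain.Count -gt 0) { $notes += 'Basic over HTTP: credentials exposed' }
    Write-Host ('{0,-40} Basic={1,-5} Windows={2,-5} {3}' -f $VDir.Identity, $VDir.BasicAuthentication, $VDir.WindowsAuthentication, ($notes -join '; '))
    return $usable
}

foreach ($vdir in @(Get-WebServicesVirtualDirectory)) {
    $ok = Test-EwsVirtualDirectory -VDir $vdir
    if (-not $ok -and $Apply) {
        # Enables Windows Integrated authentication (NTLM or Kerberos) on this /EWS directory.
        Set-WebServicesVirtualDirectory -Identity $vdir.Identity -WindowsAuthentication $true
    }
}
```

Run it read-only first; the "Basic over HTTP" flag is the one to act on even when the integration already works, because the service account's credentials are what the impersonation rights above are attached to.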